Exchange 2013: How to access Mailbox Auditing data
In the previous session we discussed how to enable and disable mailbox audit logging in Exchange 2013. In this session we will see how to access the logs and find out who made changes to a shared mailbox.
Mailbox audit logs are generated for the mailboxes on which mailbox auditing is enabled, and the entries are retained for 90 days in the Audits subfolder of the mailbox's Recoverable Items folder.
Audit logs include different auditing types as below:
• User Actions (Accessing, Copying, Creating, moving/deleting messages)
• Performing SendAs/SendOnBehalf actions
• Reading/Previewing Message
• Client IP Address
• Client Hostname
• Process that client used to access the mailbox
We can get the name and size of the audit log folder using the command below:
Get-Mailbox ExchangeTeam | Get-MailboxFolderStatistics -FolderScope RecoverableItems | fl name,foldersize
To explain audit logging, I have granted James FullAccess and SendAs permissions on the ExchangeTeam mailbox. James logged in to the ExchangeTeam mailbox and made a few changes.
We can search the audit log in 3 ways, as below:
Synchronously, by using the Search-MailboxAuditLog cmdlet, which searches one or more mailboxes and displays the results in the EMS window;
Asynchronously, by using New-MailboxAuditLogSearch to search one or more mailboxes and send the results by e-mail to the specified recipients as an XML document;
By using the Auditing tab in the ECP to run auditing reports or export entries from the mailbox audit log.
- Using the Search-MailboxAuditLog cmdlet:
Search-MailboxAuditLog -Identity "ExchangeTeam" -LogonTypes Delegate -ShowDetails
In the screenshot below you can see that James logged in to the ExchangeTeam mailbox and replied to 2 emails, with the subjects "Congratz" and "Need information".
Operations like MessageBind, SendAs or Create log the item subject (ItemSubject), as you can see from the screenshot below. The entry also tells us that the client used was Outlook Web App (OWA).
- Using New-MailboxAuditLogSearch:
New-MailboxAuditLogSearch -StartDate "10/08/2011" -EndDate "10/09/2011" -Mailboxes ExchangeTeam -LogonTypes Admin -StatusMailRecipients ExchangeTeam@MSExchangeGuru.Local -ShowDetails
NOTE: If no mailboxes are specified, the search covers all mailboxes on which mailbox auditing is enabled.
Once the search finishes, you will find event ID 4003 in the Application event log, and an email is sent to the address given in StatusMailRecipients.
- Using the Auditing tab in the ECP:
NOTE: We can bypass auditing for special accounts, such as the BESAdmin account or Quest service accounts, using the command below. Keep in mind that actions taken by a bypassed account leave no audit entries, so bypass only the accounts that genuinely need it:
Set-MailboxAuditBypassAssociation BESAdmin -AuditBypassEnabled $True
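The synchronous Search-MailboxAuditLog search from above, extended into a short reporting script that shows who did what on the shared mailbox and which accounts are excluded from auditing. This is an added example, not code from the original post; the mailbox name, the 30-day window and the CSV path are assumptions.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Assumptions: mailbox name, 30-day window and output path are placeholders.
$Mailbox   = "ExchangeTeam"
$StartDate = (Get-Date).AddDays(-30)
$EndDate   = Get-Date
$OutFile   = "C:\Temp\ExchangeTeam-audit.csv"

# Auditing off means an empty search, so check that first.
$mbx = Get-Mailbox -Identity $Mailbox
if (-not $mbx.AuditEnabled) {
    Write-Warning "Mailbox auditing is disabled for $Mailbox; the search will return nothing."
}

# Accounts with a bypass association never generate entries; list them so
# a quiet log is not mistaken for an idle mailbox.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Format-Table Identity, AuditBypassEnabled -AutoSize

# Synchronous search; -ShowDetails returns one object per audited operation.
$entries = Search-MailboxAuditLog -Identity $Mailbox `
    -LogonTypes Delegate,Admin -StartDate $StartDate -EndDate $EndDate `
    -ShowDetails -ResultSize 5000

# Keep the columns that answer "who did what, to which item, from where".
$report = $entries | Select-Object LastAccessed, LogonType, LogonUserDisplayName,
    Operation, OperationResult, ItemSubject, FolderPathName,
    ClientInfoString, ClientIPAddress, ClientProcessName

# Summary: number of operations per delegate and operation type.
$report | Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# SendAs events deserve their own view, since mail went out under the shared identity.
$report | Where-Object { $_.Operation -eq 'SendAs' } |
    Format-Table LastAccessed, LogonUserDisplayName, ItemSubject, ClientIPAddress -AutoSize

# Export the full detail for ticketing or further analysis.
$report | Export-Csv -Path $OutFile -NoTypeInformation
```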
Microsoft MVP | Exchange Server